Notarising Plugins

Well I’m looking for help on how to notarize plugins.

What did/tried so far. I set hardend runtime in Projucer and Devoloper ID for signing. I archived everything in XCode but if I go to organizer and press “Distribute content” it only offers me “Build product” and “Archive”.
I was wondering if it is because these are plugins and no apps so I tried it with the standalone-app. And for this notarization works fine, so seems that the notarization process is different for plugins.

I also wanted to try the manual way with terminal, but there I get an Error which says it “altool” is an unknown command.

Also I’m confused do I have to notarize the plugins themself before making an installer or is it enough to just notarize the installer? I was told you would have to notarize them before building an installer, but as I understood the documentation of Apple packing them in an installer for notarization would be fine and it would notarize both the plugins and the installer.

What seems to work for me is this:

  • code-sign non-AAX plugins (with hardened run-time and timestamp)
  • use wraptool to sign AAX plugins (with option to use hardened run-time and timestamp)
  • use productsign to sign the installer (I use Packages to make my installer)
  • notarize the installer

If altool can’t be found, maybe you need to use “xcrun altool” instead?

1 Like

I don’t have an AAX-version. That’s something for another time.

Could you maybe explain the process of signing? Or do you know any good tutorial for that?
If I get it right I have to make an archive in XCode, then build the plugins and pack them in to a .zip and upload the .zip for notarization, right?

But from that point on where I zipped the plugins I have no idea how to continue^^.

What works for me (and I’m sure the build step below can be improved/automated, but I don’t mind doing it this way, for now) is this:

  • in Xcode, I select “MyProduct - All” as build target and do “Build for - Profiling” (this builds the Release versions of my plugins; you may need to double-check that the flag “Build active architecture only” is set to “No”, but it should by default I think)
  • then I do this on the command line to sign and then verify (here for the AU version, but you need to do this for VST, VST3, … too):
codesign --sign "Developer ID Application: MyCompany" -f -o runtime --timestamp -v "MyProduct.component"
codesign --verify -v "MyProduct.component"
  • at this point, I have code-signed versions of my plugin, and I now run the Packages application (see: WhiteBox - Packages ) to package up everything into a .pkg file named “MyProductInstallerUnsigned.pkg”
packagesbuild -v "MyProductInstaller.pkgproj"
  • I then sign the installer .pkg with this:
productsign --sign "Developer ID Installer: MyCompany" "MyProductInstallerUnsigned.pkg" "MyProductInstaller.pkg"
rm "MyProductInstallerUnsigned.pkg" 'MyCompany' '' 'mypassword' 'com.mycompany.MyProductInstaller.pkg' "MyProductInstaller.pkg"
  • I then also do a final assessment with spctl:
spctl --assess -vvv --type install "MyProductInstaller.pkg"

Also for me it took quite some reading up around the web + good help from some friendly forum people here to find out about all the various steps to get here, so I hope this helps…

Disclaimer: there might be typos, and you’ll need to adjust product name, company and probably some paths in the commands above…


So I’m now at that step where I sign the installer. Till now I only signed in XCode with autosign, so sorry if this is a stupid question.

But what do I put in for “Developer ID Application: MyCompany” Just replacing MyCompany dosen’t seem to work.

OK. First: just saying “it doesn’t work” does not help anyone to understand what’s going wrong for you.
You should at least provide the output that indicates that it’s “not working”, if you want someone here to help you further… This is a general thing we all need to learn: people can’t help you if you don’t show the info about how it’s not working…

That being said:

You are talking about signing the installer now.
Then you say you replaced MyCompany in “Developer ID Application: MyCompany”.
Also for me, that won’t work, because the line I posted in my previous help shows this:
“Developer ID Installer: MyCompany”
Note the difference?
There are 2 certificates in play here: one for code signing and one for singing my installer.
You can create certificates when you log in to your Apple developer account.
I hope this helps you on your way a bit further.

Edit: Just for all clarity, this is what I do for distributing a plugin outside the Mac App Store.

Ok sry for not giving enough information, however your answer was never the less what I needed to know ^^, so thanks for that.

But now I’m stuck at the script if I try to run it I get following Error

ERROR: submitting app for notarization failed! See log below:
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun

I inserted the following details
‘MyCompany’ = Team-ID
‘’ = Mail of my Apple ID
‘mypassword’ = App specific password
‘com.mycompany.MyProductInstaller.pkg’ = com.d1rtyduck.Name of installer
“MyProductInstaller.pkg” = Name of Installer

OK, good, almost there!
A quick Google search with your error showed me this:

(you probably don’t have the command-line tools installed?)

1 Like

Now it finally worked. Thanks a lot for your help.

One thing just in case anyone else is having the same problem and following this:
My first notarization request was denied, reason for this was that the plugins where signed wrong, I was building the plugins with auto-sign in xCode so I skipped the signing process KoenTanghe described. I then did everything like he described with manual (re)signing and it worked and the notarization was excepted by Apple.